Comparing changes

base fork: rails/rails
...
head fork: rails/rails
  • 9 commits
  • 26 files changed
  • 2 commit comments
  • 8 contributors
Commits on Jan 28, 2013
@pietro pietro Bump version on gemspecs too. 40fdc15
@carlosantoniodasilva carlosantoniodasilva Merge pull request #9099 from pietro/2-3-gemspec-bump
Bump version on 2.3 gemspecs too.
d868a80
Commits on Feb 02, 2013
@morgancurrie morgancurrie use the decimal HTML escape code for single quotes instead of the hex one so webkit-based browsers properly translate the code in form fields
88331c5
@rafaelfranca rafaelfranca Fix the tests related with single quotes being escaped
Closes #9144
Fixes #9145
c774a46
Commits on Feb 05, 2013
@kwstannard kwstannard Docs: Fixed bad exists? documentation.
Base#exists? does not actually take options like finder methods. Trying
to use what the documentation suggests will return a PG error because it
will look for a column named 'conditions'.

I changed the documentation to reflect how the exists? method actually
works.
d61f83d
Commits on Feb 06, 2013
@fxn fxn Merge pull request #9194 from kwstannard/2-3-stable
Docs: Fixed bad exists? documentation.
2e4aa39
Commits on Feb 10, 2013
@tenderlove tenderlove fixing attr_protected CVE-2013-0276 9a48f4c
Commits on Feb 11, 2013
@kratob kratob fix serialization vulnerability 5cfe833
@tenderlove tenderlove bumping to 2.3.17 02d553d
Showing with 97 additions and 71 deletions.
  1. +1 −1  actionmailer/Rakefile
  2. +2 −2 actionmailer/actionmailer.gemspec
  3. +1 −1  actionmailer/lib/action_mailer/version.rb
  4. +1 −1  actionpack/Rakefile
  5. +2 −2 actionpack/actionpack.gemspec
  6. +1 −1  actionpack/lib/action_pack/version.rb
  7. +19 −19 actionpack/test/template/active_record_helper_test.rb
  8. +3 −3 actionpack/test/template/erb_util_test.rb
  9. +10 −10 actionpack/test/template/form_helper_test.rb
  10. +5 −1 actionpack/test/template/text_helper_test.rb
  11. +1 −1  activerecord/Rakefile
  12. +2 −2 activerecord/activerecord.gemspec
  13. +17 −2 activerecord/lib/active_record/attribute_methods.rb
  14. +3 −3 activerecord/lib/active_record/base.rb
  15. +1 −1  activerecord/lib/active_record/version.rb
  16. +6 −0 activerecord/test/cases/base_test.rb
  17. +1 −1  activeresource/Rakefile
  18. +2 −2 activeresource/activeresource.gemspec
  19. +1 −1  activeresource/lib/active_resource/version.rb
  20. +1 −1  activesupport/activesupport.gemspec
  21. +1 −1  activesupport/lib/active_support/core_ext/string/output_safety.rb
  22. +1 −1  activesupport/lib/active_support/version.rb
  23. +5 −5 railties/Rakefile
  24. +3 −2 railties/guides/source/active_record_querying.textile
  25. +1 −1  railties/lib/rails/version.rb
  26. +6 −6 railties/railties.gemspec
2  actionmailer/Rakefile
@@ -54,7 +54,7 @@ spec = Gem::Specification.new do |s|
s.rubyforge_project = "actionmailer"
s.homepage = "http://www.rubyonrails.org"
- s.add_dependency('actionpack', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('actionpack', '= 2.3.17' + PKG_BUILD)
s.requirements << 'none'
s.require_path = 'lib'
4 actionmailer/actionmailer.gemspec
@@ -1,6 +1,6 @@
Gem::Specification.new do |s|
s.name = 'actionmailer'
- s.version = '2.3.15'
+ s.version = '2.3.17'
s.summary = 'Service layer for easy email delivery and testing.'
s.description = 'Makes it trivial to test and deliver emails sent from a single service layer.'
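Review bot: the gemspec version jumps from '2.3.15' straight to '2.3.17' while actionmailer/Rakefile and action_mailer/version.rb in this same comparison move from 2.3.16, so the gemspec was evidently skipped for the 2.3.16 release; the same pattern repeats in every gemspec below. Consider having the gemspec read its version from the VERSION::STRING constant defined in version.rb so the two cannot drift apart on the next security release.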
@@ -10,5 +10,5 @@ Gem::Specification.new do |s|
s.require_path = 'lib'
- s.add_dependency 'actionpack', '= 2.3.15'
+ s.add_dependency 'actionpack', '= 2.3.17'
end
2  actionmailer/lib/action_mailer/version.rb
@@ -2,7 +2,7 @@ module ActionMailer
module VERSION #:nodoc:
MAJOR = 2
MINOR = 3
- TINY = 16
+ TINY = 17
STRING = [MAJOR, MINOR, TINY].join('.')
end
2  actionpack/Rakefile
@@ -78,7 +78,7 @@ spec = Gem::Specification.new do |s|
s.requirements << 'none'
- s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.17' + PKG_BUILD)
s.add_dependency('rack', '~> 1.1.0')
s.require_path = 'lib'
4 actionpack/actionpack.gemspec
@@ -1,6 +1,6 @@
Gem::Specification.new do |s|
s.name = 'actionpack'
- s.version = '2.3.15'
+ s.version = '2.3.17'
s.summary = 'Web-flow and rendering framework putting the VC in MVC.'
s.description = 'Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling easy unit/integration testing that doesn\'t require a browser.'
@@ -10,6 +10,6 @@ Gem::Specification.new do |s|
s.require_path = 'lib'
- s.add_dependency 'activesupport', '= 2.3.15'
+ s.add_dependency 'activesupport', '= 2.3.17'
s.add_dependency 'rack', '~> 1.1.0'
end
2  actionpack/lib/action_pack/version.rb
@@ -2,7 +2,7 @@ module ActionPack #:nodoc:
module VERSION #:nodoc:
MAJOR = 2
MINOR = 3
- TINY = 16
+ TINY = 17
STRING = [MAJOR, MINOR, TINY].join('.')
end
38 actionpack/test/template/active_record_helper_test.rb
@@ -213,15 +213,15 @@ def Post.content_columns() [ Column.new(:datetime, "written_on", "Written on") ]
end
def test_error_for_block
- assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>), error_messages_for("post")
- assert_equal %(<div class="errorDeathByClass" id="errorDeathById"><h1>1 error prohibited this post from being saved</h1><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>), error_messages_for("post", :class => "errorDeathByClass", :id => "errorDeathById", :header_tag => "h1")
- assert_equal %(<div id="errorDeathById"><h1>1 error prohibited this post from being saved</h1><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>), error_messages_for("post", :class => nil, :id => "errorDeathById", :header_tag => "h1")
- assert_equal %(<div class="errorDeathByClass"><h1>1 error prohibited this post from being saved</h1><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>), error_messages_for("post", :class => "errorDeathByClass", :id => nil, :header_tag => "h1")
+ assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#39;t be empty</li></ul></div>), error_messages_for("post")
+ assert_equal %(<div class="errorDeathByClass" id="errorDeathById"><h1>1 error prohibited this post from being saved</h1><p>There were problems with the following fields:</p><ul><li>Author name can&#39;t be empty</li></ul></div>), error_messages_for("post", :class => "errorDeathByClass", :id => "errorDeathById", :header_tag => "h1")
+ assert_equal %(<div id="errorDeathById"><h1>1 error prohibited this post from being saved</h1><p>There were problems with the following fields:</p><ul><li>Author name can&#39;t be empty</li></ul></div>), error_messages_for("post", :class => nil, :id => "errorDeathById", :header_tag => "h1")
+ assert_equal %(<div class="errorDeathByClass"><h1>1 error prohibited this post from being saved</h1><p>There were problems with the following fields:</p><ul><li>Author name can&#39;t be empty</li></ul></div>), error_messages_for("post", :class => "errorDeathByClass", :id => nil, :header_tag => "h1")
end
def test_error_messages_for_escapes_html
@dirty_post = DirtyPost.new
- assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this dirty post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be &lt;em&gt;empty&lt;/em&gt;</li></ul></div>), error_messages_for("dirty_post")
+ assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this dirty post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#39;t be &lt;em&gt;empty&lt;/em&gt;</li></ul></div>), error_messages_for("dirty_post")
end
def test_error_messages_for_handles_nil
@@ -230,7 +230,7 @@ def test_error_messages_for_handles_nil
def test_error_message_on_escapes_html
@dirty_post = DirtyPost.new
- assert_dom_equal "<div class=\"formError\">can't be &lt;em&gt;empty&lt;/em&gt;</div>", error_message_on(:dirty_post, :author_name)
+ assert_dom_equal "<div class=\"formError\">can&#39;t be &lt;em&gt;empty&lt;/em&gt;</div>", error_message_on(:dirty_post, :author_name)
end
def test_error_message_on_handles_nil
@@ -238,43 +238,43 @@ def test_error_message_on_handles_nil
end
def test_error_message_on
- assert_dom_equal "<div class=\"formError\">can't be empty</div>", error_message_on(:post, :author_name)
+ assert_dom_equal "<div class=\"formError\">can&#39;t be empty</div>", error_message_on(:post, :author_name)
end
def test_error_message_on_no_instance_variable
other_post = @post
- assert_dom_equal "<div class=\"formError\">can't be empty</div>", error_message_on(other_post, :author_name)
+ assert_dom_equal "<div class=\"formError\">can&#39;t be empty</div>", error_message_on(other_post, :author_name)
end
def test_error_message_on_with_options_hash
- assert_dom_equal "<div class=\"differentError\">beforecan't be emptyafter</div>", error_message_on(:post, :author_name, :css_class => 'differentError', :prepend_text => 'before', :append_text => 'after')
+ assert_dom_equal "<div class=\"differentError\">beforecan&#39;t be emptyafter</div>", error_message_on(:post, :author_name, :css_class => 'differentError', :prepend_text => 'before', :append_text => 'after')
end
def test_error_messages_for_many_objects
- assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li><li>User email can't be empty</li></ul></div>), error_messages_for("post", "user")
+ assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#39;t be empty</li><li>User email can&#39;t be empty</li></ul></div>), error_messages_for("post", "user")
# reverse the order, error order changes and so does the title
- assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this user from being saved</h2><p>There were problems with the following fields:</p><ul><li>User email can't be empty</li><li>Author name can't be empty</li></ul></div>), error_messages_for("user", "post")
+ assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this user from being saved</h2><p>There were problems with the following fields:</p><ul><li>User email can&#39;t be empty</li><li>Author name can&#39;t be empty</li></ul></div>), error_messages_for("user", "post")
# add the default to put post back in the title
- assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>User email can't be empty</li><li>Author name can't be empty</li></ul></div>), error_messages_for("user", "post", :object_name => "post")
+ assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>User email can&#39;t be empty</li><li>Author name can&#39;t be empty</li></ul></div>), error_messages_for("user", "post", :object_name => "post")
# symbols work as well
- assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>User email can't be empty</li><li>Author name can't be empty</li></ul></div>), error_messages_for(:user, :post, :object_name => :post)
+ assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>User email can&#39;t be empty</li><li>Author name can&#39;t be empty</li></ul></div>), error_messages_for(:user, :post, :object_name => :post)
# any default works too
- assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this monkey from being saved</h2><p>There were problems with the following fields:</p><ul><li>User email can't be empty</li><li>Author name can't be empty</li></ul></div>), error_messages_for(:user, :post, :object_name => "monkey")
+ assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this monkey from being saved</h2><p>There were problems with the following fields:</p><ul><li>User email can&#39;t be empty</li><li>Author name can&#39;t be empty</li></ul></div>), error_messages_for(:user, :post, :object_name => "monkey")
# should space object name
- assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this chunky bacon from being saved</h2><p>There were problems with the following fields:</p><ul><li>User email can't be empty</li><li>Author name can't be empty</li></ul></div>), error_messages_for(:user, :post, :object_name => "chunky_bacon")
+ assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this chunky bacon from being saved</h2><p>There were problems with the following fields:</p><ul><li>User email can&#39;t be empty</li><li>Author name can&#39;t be empty</li></ul></div>), error_messages_for(:user, :post, :object_name => "chunky_bacon")
# hide header and explanation messages with nil or empty string
- assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><ul><li>User email can't be empty</li><li>Author name can't be empty</li></ul></div>), error_messages_for(:user, :post, :header_message => nil, :message => "")
+ assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><ul><li>User email can&#39;t be empty</li><li>Author name can&#39;t be empty</li></ul></div>), error_messages_for(:user, :post, :header_message => nil, :message => "")
# override header and explanation messages
header_message = "Yikes! Some errors"
message = "Please fix the following fields and resubmit:"
- assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>#{header_message}</h2><p>#{message}</p><ul><li>User email can't be empty</li><li>Author name can't be empty</li></ul></div>), error_messages_for(:user, :post, :header_message => header_message, :message => message)
+ assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>#{header_message}</h2><p>#{message}</p><ul><li>User email can&#39;t be empty</li><li>Author name can&#39;t be empty</li></ul></div>), error_messages_for(:user, :post, :header_message => header_message, :message => message)
end
def test_error_messages_for_non_instance_variable
@@ -284,10 +284,10 @@ def test_error_messages_for_non_instance_variable
@post = nil
#explicitly set object
- assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>), error_messages_for("post", :object => actual_post)
+ assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#39;t be empty</li></ul></div>), error_messages_for("post", :object => actual_post)
#multiple objects
- assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this user from being saved</h2><p>There were problems with the following fields:</p><ul><li>User email can't be empty</li><li>Author name can't be empty</li></ul></div>), error_messages_for("user", "post", :object => [actual_user, actual_post])
+ assert_dom_equal %(<div class="errorExplanation" id="errorExplanation"><h2>2 errors prohibited this user from being saved</h2><p>There were problems with the following fields:</p><ul><li>User email can&#39;t be empty</li><li>Author name can&#39;t be empty</li></ul></div>), error_messages_for("user", "post", :object => [actual_user, actual_post])
#nil object
assert_equal '', error_messages_for('user', :object => nil)
6 actionpack/test/template/erb_util_test.rb
@@ -8,7 +8,7 @@ class ErbUtilTest < Test::Unit::TestCase
assert_equal expected, html_escape(given)
end
- unless given == '"'
+ unless given == '"' || given == "'"
define_method "test_json_escape_#{expected.gsub /\W/, ''}" do
assert_equal ERB::Util::JSON_ESCAPE[given], json_escape(given)
end
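Review bot: the widened guard `unless given == '"' || given == "'"` silently removes json_escape coverage for both quote characters; the reason is that JSON_ESCAPE (see output_safety.rb further down in this comparison) has no entry for either, so `ERB::Util::JSON_ESCAPE[given]` would be nil and the generated test could never pass. Rather than skipping them, add an explicit assertion stating what json_escape is expected to return for `'` and `"`, so the intended behaviour for those characters is pinned down instead of left untested.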
@@ -26,10 +26,10 @@ def test_html_escape_passes_html_escpe_unmodified
assert_equal "<p>", escaped
assert escaped.html_safe?
end
-
+
def test_rest_in_ascii
(0..127).to_a.map(&:chr).each do |chr|
- next if %w(& " < >).include?(chr)
+ next if %w(& " < > ').include?(chr)
assert_equal chr, html_escape(chr)
end
end
20 actionpack/test/template/form_helper_test.rb
@@ -743,7 +743,7 @@ def test_nested_fields_for_with_an_existing_record_on_a_nested_attributes_one_to
assert_dom_equal expected, output_buffer
end
-
+
def test_nested_fields_for_with_existing_records_on_a_nested_attributes_one_to_one_association_with_explicit_hidden_field_placement
@post.author = Author.new(321)
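Review bot: this hunk and the two that follow it (at 754 and 799) are whitespace-only changes; the removed and added lines are both blank. In a security point release they add noise and make it harder to audit what actually changed, so trailing-whitespace cleanups are better kept out of the fix commits and landed separately.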
@@ -754,7 +754,7 @@ def test_nested_fields_for_with_existing_records_on_a_nested_attributes_one_to_o
concat af.text_field(:name)
end
end
-
+
expected = '<form action="http://www.example.com" method="post">' +
'<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
'<input id="post_author_attributes_id" name="post[author_attributes][id]" type="hidden" value="321" />' +
@@ -799,7 +799,7 @@ def test_nested_fields_for_with_existing_records_on_a_nested_attributes_collecti
end
end
end
-
+
expected = '<form action="http://www.example.com" method="post">' +
'<input name="post[title]" size="30" type="text" id="post_title" value="Hello World" />' +
'<input id="post_comments_attributes_0_id" name="post[comments_attributes][0][id]" type="hidden" value="1" />' +
@@ -1195,8 +1195,8 @@ def test_default_form_builder_with_active_record_helpers
end
expected = %(<form action='http://www.example.com' method='post'>) +
- %(<div class='formError'>can't be empty</div>) +
- %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>) +
+ %(<div class='formError'>can&#39;t be empty</div>) +
+ %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#39;t be empty</li></ul></div>) +
%(</form>)
assert_dom_equal expected, output_buffer
@@ -1213,14 +1213,14 @@ def test_default_form_builder_no_instance_variable
end
expected = %(<form action='http://www.example.com' method='post'>) +
- %(<div class='formError'>can't be empty</div>) +
- %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>) +
+ %(<div class='formError'>can&#39;t be empty</div>) +
+ %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#39;t be empty</li></ul></div>) +
%(</form>)
assert_dom_equal expected, output_buffer
end
-
+
def test_default_form_builder_without_object
form_for(:post) do |f|
@@ -1229,8 +1229,8 @@ def test_default_form_builder_without_object
end
expected = %(<form action='http://www.example.com' method='post'>) +
- %(<div class='formError'>can't be empty</div>) +
- %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can't be empty</li></ul></div>) +
+ %(<div class='formError'>can&#39;t be empty</div>) +
+ %(<div class="errorExplanation" id="errorExplanation"><h2>1 error prohibited this post from being saved</h2><p>There were problems with the following fields:</p><ul><li>Author name can&#39;t be empty</li></ul></div>) +
%(</form>)
assert_dom_equal expected, output_buffer
6 actionpack/test/template/text_helper_test.rb
@@ -259,7 +259,6 @@ def test_auto_link_parsing
http://en.wikipedia.org/wiki/Wikipedia:Today%27s_featured_picture_%28animation%29/January_20%2C_2007
http://www.mail-archive.com/rails@lists.rubyonrails.org/
http://www.amazon.com/Testing-Equal-Sign-In-Path/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1198861734&sr=8-1
- http://en.wikipedia.org/wiki/Texas_hold'em
https://www.google.com/doku.php?id=gps:resource:scs:start
http://connect.oraclecorp.com/search?search[q]=green+france&search[type]=Group
http://of.openfoundry.org/projects/492/download#4th.Release.3
@@ -269,6 +268,11 @@ def test_auto_link_parsing
urls.each do |url|
assert_equal generate_result(url), auto_link(url)
end
+
+ assert_equal(
+ %{<a href="http://en.wikipedia.org/wiki/Texas_hold'em">http://en.wikipedia.org/wiki/Texas_hold&#39;em</a>},
+ auto_link("http://en.wikipedia.org/wiki/Texas_hold'em")
+ )
end
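Review bot: the new assertion records that auto_link escapes the apostrophe only in the visible link text (`Texas_hold&#39;em`) while the href attribute keeps the raw `'`; that is fine inside a double-quoted attribute, but the asymmetry is easy to misread later. A one-line comment explaining why this URL was pulled out of the shared `urls` loop (presumably because generate_result builds the link text from the unescaped URL) would save the next reader from re-deriving it.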
def generate_result(link_text, href = nil)
2  activerecord/Rakefile
@@ -192,7 +192,7 @@ spec = Gem::Specification.new do |s|
s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
end
- s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.17' + PKG_BUILD)
s.files.delete FIXTURES_ROOT + "/fixture_database.sqlite"
s.files.delete FIXTURES_ROOT + "/fixture_database_2.sqlite"
4 activerecord/activerecord.gemspec
@@ -1,6 +1,6 @@
Gem::Specification.new do |s|
s.name = 'activerecord'
- s.version = '2.3.15'
+ s.version = '2.3.17'
s.summary = 'Implements the ActiveRecord pattern for ORM.'
s.description = 'Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL.'
@@ -13,5 +13,5 @@ Gem::Specification.new do |s|
s.rdoc_options = ['--main', 'README']
s.extra_rdoc_files = ['README']
- s.add_dependency 'activesupport', '= 2.3.15'
+ s.add_dependency 'activesupport', '= 2.3.17'
end
19 activerecord/lib/active_record/attribute_methods.rb
@@ -80,7 +80,9 @@ def define_attribute_methods
end
unless instance_method_already_implemented?("#{name}=")
- if create_time_zone_conversion_attribute?(name, column)
+ if self.serialized_attributes[name]
+ define_write_method_for_serialized_attribute(name)
+ elsif create_time_zone_conversion_attribute?(name, column)
define_write_method_for_time_zone_conversion(name)
else
define_write_method(name.to_sym)
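Review bot: the new `if self.serialized_attributes[name]` branch is evaluated before `create_time_zone_conversion_attribute?`, so a serialized attribute that happens to be backed by a datetime or timestamp column would now be routed to the serialized writer and lose time-zone conversion. That combination is unusual, but the precedence is a deliberate choice and deserves a short comment here rather than being discoverable only by reading the branch order.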
@@ -130,7 +132,7 @@ def cache_attribute?(attr_name)
# Suffixes a, ?, c become regexp /(a|\?|c)$/
def rebuild_attribute_method_regexp
suffixes = attribute_method_suffixes.map { |s| Regexp.escape(s) }
- @@attribute_method_regexp = /(#{suffixes.join('|')})$/.freeze
+ @@attribute_method_regexp = /(#{suffixes.join('|')})\z/.freeze
end
# Default to =, ?, _before_type_cast
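Review bot: the change from `$` to `\z` is the substantive part of the attr_protected fix: in Ruby `$` matches before any newline, not only at the end of the string, so an attribute name containing a newline after a suffix could still match the suffix regexp, whereas `\z` anchors to the true end of the string. Worth grepping the rest of attribute_methods.rb for other `^`/`$` anchors applied to caller-supplied names; the new serialized writer later in this file still uses `/^---/`.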
@@ -184,6 +186,19 @@ def define_question_method(attr_name)
def define_write_method(attr_name)
evaluate_attribute_method attr_name, "def #{attr_name}=(new_value);write_attribute('#{attr_name}', new_value);end", "#{attr_name}="
end
+
+ # Defined for all serialized attributes. Disallows assigning already serialized YAML.
+ def define_write_method_for_serialized_attribute(attr_name)
+ method_body = <<-EOV
+ def #{attr_name}=(value)
+ if value.is_a?(String) and value =~ /^---/
+ raise ActiveRecordError, "You tried to assign already serialized content to #{attr_name}. This is disabled due to security issues."
+ end
+ write_attribute(:#{attr_name}, value)
+ end
+ EOV
+ evaluate_attribute_method attr_name, method_body, "#{attr_name}="
+ end
# Defined for all +datetime+ and +timestamp+ attributes when +time_zone_aware_attributes+ are enabled.
# This enhanced write method will automatically convert the time passed to it to the zone stored in Time.zone.
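Review bot: `if value.is_a?(String) and value =~ /^---/` uses `^`, which in Ruby matches at the start of any line, so a legitimate multi-line string in which some later line begins with `---` (a Markdown horizontal rule, for example) is rejected as well; `\A---` expresses the intent in the comment ("already serialized YAML") and is consistent with the `\z` anchoring introduced in the hunk above. Style-wise, prefer `&&` to `and` inside a condition, and the error message could name the model class alongside `#{attr_name}` to make the raise easier to trace in production logs.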
6 activerecord/lib/active_record/base.rb
@@ -2998,11 +2998,11 @@ def convert_number_column_value(value)
def remove_attributes_protected_from_mass_assignment(attributes)
safe_attributes =
if self.class.accessible_attributes.nil? && self.class.protected_attributes.nil?
- attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+ attributes.reject { |key, value| attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
elsif self.class.protected_attributes.nil?
- attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/, "")) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+ attributes.reject { |key, value| !self.class.accessible_attributes.include?(key.gsub(/\(.+/m, "")) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
elsif self.class.accessible_attributes.nil?
- attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/,"")) || attributes_protected_by_default.include?(key.gsub(/\(.+/, "")) }
+ attributes.reject { |key, value| self.class.protected_attributes.include?(key.gsub(/\(.+/m,"")) || attributes_protected_by_default.include?(key.gsub(/\(.+/m, "")) }
else
raise "Declare either attr_protected or attr_accessible for #{self.class}, but not both."
end
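Review bot: adding the `m` flag makes `.+` match across newlines, so a key whose multi-parameter suffix contains a newline after `(` is now stripped before the protected/accessible lookup instead of slipping past it. The same regex literal now appears six times across the three branches, which is exactly how a missing flag on one copy goes unnoticed; extract it into a single constant (for instance a module-level `MULTIPARAMETER_SUFFIX = /\(.+/m`, a name suggested here, not one the code base uses) and compute `key.gsub(MULTIPARAMETER_SUFFIX, "")` once per block.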
2  activerecord/lib/active_record/version.rb
@@ -2,7 +2,7 @@ module ActiveRecord
module VERSION #:nodoc:
MAJOR = 2
MINOR = 3
- TINY = 16
+ TINY = 17
STRING = [MAJOR, MINOR, TINY].join('.')
end
6 activerecord/test/cases/base_test.rb
@@ -1499,6 +1499,12 @@ def test_nil_serialized_attribute_with_class_constraint
assert_nil topic.content
end
+ def test_should_raise_exception_on_assigning_already_serialized_content
+ topic = Topic.new
+ serialized_content = %w[foo bar].to_yaml
+ assert_raise(ActiveRecord::ActiveRecordError) { topic.content = serialized_content }
+ end
+
def test_should_raise_exception_on_serialized_attribute_with_type_mismatch
myobj = MyObject.new('value1', 'value2')
topic = Topic.new(:content => myobj)
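Review bot: the new test only exercises the rejection path. Add a companion assertion that assigning a plain string, and an object such as the MyObject used in the next test, to `content` still succeeds, so the guard in define_write_method_for_serialized_attribute is shown not to break ordinary serialized assignment. Note too that `serialized_content = %w[foo bar].to_yaml` relies on to_yaml emitting a leading `---`, which is precisely what the writer checks for; a comment stating that coupling would keep the test meaningful if the YAML emitter ever changes.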
2  activeresource/Rakefile
@@ -66,7 +66,7 @@ spec = Gem::Specification.new do |s|
s.files = s.files + Dir.glob( "#{dir}/**/*" ).delete_if { |item| item.include?( "\.svn" ) }
end
- s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.17' + PKG_BUILD)
s.require_path = 'lib'
4 activeresource/activeresource.gemspec
@@ -1,6 +1,6 @@
Gem::Specification.new do |s|
s.name = 'activeresource'
- s.version = '2.3.15'
+ s.version = '2.3.17'
s.summary = 'Think Active Record for web resources.'
s.description = 'Wraps web resources in model classes that can be manipulated through XML over REST.'
@@ -13,5 +13,5 @@ Gem::Specification.new do |s|
s.rdoc_options = ['--main', 'README']
s.extra_rdoc_files = ['README']
- s.add_dependency 'activesupport', '= 2.3.15'
+ s.add_dependency 'activesupport', '= 2.3.17'
end
2  activeresource/lib/active_resource/version.rb
@@ -2,7 +2,7 @@ module ActiveResource
module VERSION #:nodoc:
MAJOR = 2
MINOR = 3
- TINY = 16
+ TINY = 17
STRING = [MAJOR, MINOR, TINY].join('.')
end
2  activesupport/activesupport.gemspec
@@ -1,6 +1,6 @@
Gem::Specification.new do |s|
s.name = 'activesupport'
- s.version = '2.3.15'
+ s.version = '2.3.17'
s.summary = 'Support and utility classes used by the Rails framework.'
s.description = 'Utility library which carries commonly used classes and goodies from the Rails framework'
2  activesupport/lib/active_support/core_ext/string/output_safety.rb
@@ -2,7 +2,7 @@
class ERB
module Util
- HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;', "'" => '&#x27;' }
+ HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;', "'" => '&#39;' }
JSON_ESCAPE = { '&' => '\u0026', '>' => '\u003E', '<' => '\u003C' }
# A utility method for escaping HTML tag characters.
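Review bot: switching the `'` entry from `&#x27;` to `&#39;` changes the public output of html_escape, and of every helper built on it, in a point release. Both are valid HTML entities, but any application with view-test or fixture expectations pinned to `&#x27;` will break on upgrade (this very diff has to touch three test files for that reason), so it deserves a CHANGELOG or release-note entry. JSON_ESCAPE on the following line is unchanged and still has no entry for either quote character, which is why erb_util_test now skips them.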
2  activesupport/lib/active_support/version.rb
@@ -2,7 +2,7 @@ module ActiveSupport
module VERSION #:nodoc:
MAJOR = 2
MINOR = 3
- TINY = 16
+ TINY = 17
STRING = [MAJOR, MINOR, TINY].join('.')
end
10 railties/Rakefile
@@ -313,11 +313,11 @@ spec = Gem::Specification.new do |s|
EOF
s.add_dependency('rake', '>= 0.8.3')
- s.add_dependency('activesupport', '= 2.3.16' + PKG_BUILD)
- s.add_dependency('activerecord', '= 2.3.16' + PKG_BUILD)
- s.add_dependency('actionpack', '= 2.3.16' + PKG_BUILD)
- s.add_dependency('actionmailer', '= 2.3.16' + PKG_BUILD)
- s.add_dependency('activeresource', '= 2.3.16' + PKG_BUILD)
+ s.add_dependency('activesupport', '= 2.3.17' + PKG_BUILD)
+ s.add_dependency('activerecord', '= 2.3.17' + PKG_BUILD)
+ s.add_dependency('actionpack', '= 2.3.17' + PKG_BUILD)
+ s.add_dependency('actionmailer', '= 2.3.17' + PKG_BUILD)
+ s.add_dependency('activeresource', '= 2.3.17' + PKG_BUILD)
s.rdoc_options << '--exclude' << '.'
5 railties/guides/source/active_record_querying.textile
@@ -867,10 +867,11 @@ Client.exists?(1,2,3)
Client.exists?([1,2,3])
</ruby>
-Further more, +exists+ takes a +conditions+ option much like find:
+Further more, +exists+ takes a hash or array like what you would pass into a +conditions+ option:
<ruby>
-Client.exists?(:conditions => "first_name = 'Ryan'")
+Client.exists?(:first_name => 'Ryan')
+Client.exists?(['first_name = ?', 'Ryan'])
</ruby>
It's even possible to use +exists?+ without any arguments:
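Review bot: the rewritten sentence keeps the typo `Further more` (should be `Furthermore`) and refers to `+exists+` while the examples and the next sentence use `+exists?+`; "a hash or array like what you would pass into a +conditions+ option" also reads awkwardly. Something like "Furthermore, +exists?+ accepts a conditions hash or array, in the same form you would pass to +:conditions+:" keeps the corrected meaning and matches the two examples that follow.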
2  railties/lib/rails/version.rb
@@ -2,7 +2,7 @@ module Rails
module VERSION #:nodoc:
MAJOR = 2
MINOR = 3
- TINY = 16
+ TINY = 17
STRING = [MAJOR, MINOR, TINY].join('.')
end
12 railties/railties.gemspec
@@ -1,6 +1,6 @@
Gem::Specification.new do |s|
s.name = 'rails'
- s.version = '2.3.15'
+ s.version = '2.3.17'
s.summary = 'Web-application framework with template engine, control-flow layer, and ORM.'
s.description = "Rails is a framework for building web-application using CGI, FCGI, mod_ruby, or WEBrick\non top of either MySQL, PostgreSQL, SQLite, DB2, SQL Server, or Oracle with eRuby- or Builder-based templates."
@@ -14,9 +14,9 @@ Gem::Specification.new do |s|
s.rdoc_options = ['--exclude', '.']
s.add_dependency 'rake', '>= 0.8.3'
- s.add_dependency 'activesupport', '= 2.3.15'
- s.add_dependency 'activerecord', '= 2.3.15'
- s.add_dependency 'actionpack', '= 2.3.15'
- s.add_dependency 'actionmailer', '= 2.3.15'
- s.add_dependency 'activeresource', '= 2.3.15'
+ s.add_dependency 'activesupport', '= 2.3.17'
+ s.add_dependency 'activerecord', '= 2.3.17'
+ s.add_dependency 'actionpack', '= 2.3.17'
+ s.add_dependency 'actionmailer', '= 2.3.17'
+ s.add_dependency 'activeresource', '= 2.3.17'
end

Showing you all comments on commits in this comparison.

@grosser

looks like that would mean enter "---" into a textfield -> boom oO

@grosser

Ok, only for serialized values, so not really a problem.
